berrypod/lib/berrypod_web/plugs/verify_printify_webhook.ex

defmodule BerrypodWeb.Plugs.VerifyPrintifyWebhook do
  @moduledoc """
  Verifies Printify webhook signatures using HMAC-SHA256.

  Expects:
  - Raw body cached in conn.assigns[:raw_body]
  - X-Pfy-Signature header in format "sha256={hex_digest}"
  - Webhook secret stored in provider connection config
  """

  import Plug.Conn
  require Logger

  alias Berrypod.Products

  def init(opts), do: opts

  def call(conn, _opts) do
    with {:ok, signature} <- get_signature(conn),
         {:ok, secret} <- get_webhook_secret(),
         :ok <- verify_signature(conn.assigns[:raw_body], secret, signature) do
      conn
    else
      {:error, reason} ->
        Logger.warning("Printify webhook verification failed: #{reason}")

        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, Jason.encode!(%{error: "Invalid signature"}))
        |> halt()
    end
  end

  defp get_signature(conn) do
    case get_req_header(conn, "x-pfy-signature") do
      ["sha256=" <> hex_digest] -> {:ok, hex_digest}
      [_other] -> {:error, :invalid_signature_format}
      [] -> {:error, :missing_signature}
    end
  end

  defp get_webhook_secret do
    case Products.get_provider_connection_by_type("printify") do
      %{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->
        {:ok, secret}

      _ ->
        {:error, :no_webhook_secret}
    end
  end

  defp verify_signature(body, secret, expected_hex) do
    computed =
      :crypto.mac(:hmac, :sha256, secret, body || "")
      |> Base.encode16(case: :lower)

    if Plug.Crypto.secure_compare(computed, String.downcase(expected_hex)) do
      :ok
    else
      {:error, :signature_mismatch}
    end
  end
end
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`defmodule BerrypodWeb.Plugs.VerifyPrintifyWebhook do`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00			`@moduledoc """`
			`Verifies Printify webhook signatures using HMAC-SHA256.`

			`Expects:`
			`- Raw body cached in conn.assigns[:raw_body]`
			`- X-Pfy-Signature header in format "sha256={hex_digest}"`
			`- Webhook secret stored in provider connection config`
			`"""`

			`import Plug.Conn`
			`require Logger`

rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`alias Berrypod.Products`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00
			`def init(opts), do: opts`

			`def call(conn, _opts) do`
			`with {:ok, signature} <- get_signature(conn),`
			`{:ok, secret} <- get_webhook_secret(),`
			`:ok <- verify_signature(conn.assigns[:raw_body], secret, signature) do`
			`conn`
			`else`
			`{:error, reason} ->`
			`Logger.warning("Printify webhook verification failed: #{reason}")`

			`conn`
			`\|> put_resp_content_type("application/json")`
			`\|> send_resp(401, Jason.encode!(%{error: "Invalid signature"}))`
			`\|> halt()`
			`end`
			`end`

			`defp get_signature(conn) do`
			`case get_req_header(conn, "x-pfy-signature") do`
			`["sha256=" <> hex_digest] -> {:ok, hex_digest}`
			`[_other] -> {:error, :invalid_signature_format}`
			`[] -> {:error, :missing_signature}`
			`end`
			`end`

			`defp get_webhook_secret do`
			`case Products.get_provider_connection_by_type("printify") do`
			`%{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->`
			`{:ok, secret}`

			`_ ->`
			`{:error, :no_webhook_secret}`
			`end`
			`end`

			`defp verify_signature(body, secret, expected_hex) do`
			`computed =`
			`:crypto.mac(:hmac, :sha256, secret, body \|\| "")`
			`\|> Base.encode16(case: :lower)`

			`if Plug.Crypto.secure_compare(computed, String.downcase(expected_hex)) do`
			`:ok`
			`else`
			`{:error, :signature_mismatch}`
			`end`
			`end`
			`end`